Getting single DES TGT [was Re: KDC: upgrade to 3DES]
Craig Huckabee
huck at spawar.navy.mil
Thu Apr 7 17:14:05 EDT 2005
Hi all,

I saw this discussion on krb-dev on moving to 3DES support and wanted
to ask a similar question (hopefully more appropriately on this list).

We're trying to use the Advanced Security Option in Oracle 9.x/10.x
to enable Kerberos authentication - unfortunately, they don't support
3DES keys yet and won't for the near future. Our KDC is MIT 1.3.6
running on Linux.

I've been trying to force clients to ask only for des-cbc-crc TGTs,
but haven't been able to do so. A getprinc on the krbtgt principal for
my realm looks like:

Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Key: vno 3, DES cbc mode with CRC-32, Version 4

But even when I set:

default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc

on the client, I get a des-cbc-crc session key, but a 3des tkt. This
happens with an MIT 1.3.6 kinit on Linux and Solaris.

Is the KDC just picking the first key type from the list of available
encryption types, despite what the client asks for? Any suggestions
for testing this theory (I've done some ethereal sniffs which lead me to
think the KDC is at fault)?

Help, advice, even flames welcome at this point,

Craig

PS If you work from Oracle and are reading this, get back to work and
update your Kerberos base code!

-------- Original Message --------
Subject: Re: KDC: upgrade to 3DES
Date: Thu, 7 Apr 2005 08:38:07 -0400 (EDT)
From: Shivakeshav Santi <ss488 at cornell.edu>
To: Jeffrey Altman <jaltman at columbia.edu>
CC: krbdev at mit.edu
References: <20050405203823.63766.qmail at web41502.mail.yahoo.com>
<4252FC34.7010803 at columbia.edu>

Jeff,

Following are the answers for the Qs:

1) did you rekey your principal (aka change your password?)

yes. Following is the output of getprinc:

Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 2, DES cbc mode with CRC-32, Version 4

2) is your client restricting the requested enctypes in the krb5.conf file?

it does allow des3-hmac-sha1. Corresponding lines from krb5.conf:

default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc

3) does the client you are using support 3DES?

yes, I am using MIT kinit from krb5 1.3.4.

Thanks for your help

> shivakeshav santi wrote:
>
>> Hi,
>>
>> I am trying to upgrade the encryption type on the KDC to support
>> 3DES. I have made the relevant changes in krb5.conf and
>> kdc.conf(supported_enctypes,
>> kdc_supported_enctypes,default_tgs_enctypes,default_tkt_enctypes
>> :des3-hmac-sha1 des-cbc-crc)
>>
>> But when I use kinit , I only get the tickets with single des.
>> Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>
>> Am I missing something?
>>
>> Thank you for your help.
>
> Just a few questions for you to answer:
>
> did you rekey your principal (aka change your password?)
>
> is your client restricting the requested enctypes in the krb5.conf file?
>
> does the client you are using support 3DES?
>
> Jeffrey Altman
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
--
Shivakeshav Santi
Programmer Analyst/Senior
Cornell Information Technologies
120 Maple Avenue
Cornell University
Tel :6072551916(O)
Ability may get you to the top, but only character will keep you there .....
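
One way to check the theory raised in the first message (that the ticket enctype follows the first key stored for krbtgt rather than the client's enctype list), as an added example that is not part of the original posts. The function names are hypothetical; the getprinc lines and enctype settings are copied from the message, and the Etype line is constructed from its description of a des-cbc-crc session key with a 3DES ticket.

```python
import re

# Display names as printed on this page -> krb5.conf enctype names used on this page.
DISPLAY_TO_CONF = {
    "Triple DES cbc mode with HMAC/sha1": "des3-hmac-sha1",
    "DES cbc mode with CRC-32": "des-cbc-crc",
}

# Client settings and krbtgt getprinc lines copied from the message.
CONF = "default_tgs_enctypes = des-cbc-crc\ndefault_tkt_enctypes = des-cbc-crc\n"
GETPRINC = """Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Key: vno 3, DES cbc mode with CRC-32, Version 4
"""
# Constructed line: des-cbc-crc session key, 3DES ticket, as the message describes.
ETYPE_LINE = "Etype (skey, tkt): DES cbc mode with CRC-32, Triple DES cbc mode with HMAC/sha1"

def _conf_name(display):
    display = display.strip()
    return DISPLAY_TO_CONF.get(display, display)  # unknown names pass through unchanged

def conf_enctypes(conf_text, key):
    """Enctype list configured for `key` in krb5.conf text (empty if the key is absent)."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(.+)$", conf_text, re.M)
    return re.split(r"[\s,]+", m.group(1).strip()) if m else []

def principal_keys(getprinc_text):
    """Enctypes of the stored keys, in the order getprinc lists them."""
    return [_conf_name(n) for n in re.findall(r"^\s*Key: vno \d+, ([^,]+),", getprinc_text, re.M)]

def ticket_etypes(etype_text):
    """(session key enctype, ticket enctype) from an 'Etype (skey, tkt)' line."""
    m = re.search(r"Etype \(skey, tkt\): ([^,]+), (.+)$", etype_text, re.M)
    return (_conf_name(m.group(1)), _conf_name(m.group(2))) if m else (None, None)

def diagnose(conf_text, getprinc_text, etype_text):
    """Compare what the client asked for, what krbtgt holds, and what was issued."""
    requested = conf_enctypes(conf_text, "default_tkt_enctypes")
    keys = principal_keys(getprinc_text)
    skey, tkt = ticket_etypes(etype_text)
    return {
        "requested": requested,
        "skey_in_request": skey in requested,
        "tkt_in_request": tkt in requested,
        "tkt_is_first_stored_key": bool(keys) and tkt == keys[0],
    }

if __name__ == "__main__":
    for name, value in diagnose(CONF, GETPRINC, ETYPE_LINE).items():
        print(f"{name}: {value}")
```

A result with `tkt_in_request` false and `tkt_is_first_stored_key` true is consistent with that theory; it does not by itself prove how the KDC chooses.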